The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Thursday, December 10, 2015

Privacy Commissioner tables annual report on privacy in the federal government

The highlight of the Annual Report is an audit across government departments regarding the use of portable storage devices. Some might find it ironic, since the Office of the Privacy Commissioner recently lost a portable storage device containing personal information of its employees.

GATINEAU, QC, December 10, 2015 – The Privacy Commissioner of Canada is urging federal departments and agencies to develop and implement more rigorous procedures and safeguards to protect Canadians’ personal information.

This call comes as the Commissioner’s 2014-15 Annual Report on the Privacy Act was tabled today in Parliament, highlighting a record-high number of federal government data breaches reported to his Office and the results of an audit of the government’s management of portable storage devices.

“Many institutions have made some strides to better protect personal information,” says Commissioner Daniel Therrien. “That being said, the breach reports we’ve received, the results of our investigations and our latest audit all suggest there is still much room for improvement.”

Federal institutions reported 256 data breaches in 2014-2015, up from 228 breaches reported the year before—which itself was double the number reported a year earlier. As in previous years, the leading cause of breaches was accidental disclosure, a risk which can often be mitigated by more rigorous procedures.

Last year marked the first time institutions were required to report data breaches to the Privacy Commissioner. Until then, reporting was voluntary.

“Effectively protecting personal information is a challenge we do not want to minimize,” says Commissioner Therrien. “However, given that Canadians are required to provide very sensitive information to federal departments and agencies, the government’s duty of care is paramount.”

The annual report includes details of a recently completed audit which found that gaps in the federal government’s management of portable storage devices, such as memory sticks, are potentially putting the personal information of Canadians at risk.

The audit concluded that, while federal institutions do have policies, processes and controls related to portable storage devices, there is significant room for improvement in order to reduce the risk of privacy breaches.

Portable storage devices are convenient because they can hold huge amounts of data and are generally small and highly portable. But it is those attributes that also create significant privacy and security risks.

“These devices can be easily lost, misplaced or stolen. Without proper controls, federal institutions are running the risk that the personal information of Canadians will be lost or inappropriately accessed,” says Commissioner Therrien.

The audit was prompted by concerns over a number of federal government data breaches involving portable storage devices, including a 2012 incident in which a portable hard drive containing the personal information of almost 600,000 student loan recipients went missing.

The audit, which included a detailed examination of 17 institutions, identified a number of concerns, including:

More than two-thirds (70%) of the institutions had not formally assessed the risks surrounding the use of all types of portable storage devices.

More than 90% did not track all portable storage devices throughout their lifecycle.

More than 85% did not retain records verifying the secure destruction of data retained on surplus or defective portable storage devices.

One-quarter did not enforce the use of encrypted USB storage devices.

Two-thirds did not have technical controls in place to prevent the connection of unauthorized portable storage devices (for example, privately owned devices) to their networks, and more than half (55%) had not assessed the risk to personal information resulting from the absence of such controls.

There were also weaknesses in the security settings to protect data held on smart phones at some of the audited entities. These included, for example, a lack of encryption, strong password controls, or controls to prevent users from installing unauthorized applications.

The audited institutions have accepted all recommendations made in the audit.

“We hope all federal institutions will take note of the audit and its recommendations with respect to portable storage devices,” says Commissioner Therrien. “The audit highlights some preventive steps that can and must be taken to curtail breaches. There is a need for greater vigilance when it comes to protecting the personal information that Canadians entrust to their federal government.”

About the Office of the Privacy Commissioner of Canada

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.